96c0d4914e76b1fa9375ae0aae11d1fc7e0929c7dccadc9fc2a13a32c3ff3ec1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe
Size

177KB
MD5

0d84b7c7410b3d41b0c7079cd8907c38
SHA1

41405d26248bfe86df3927af45d04c71a2d793e3
SHA256

96c0d4914e76b1fa9375ae0aae11d1fc7e0929c7dccadc9fc2a13a32c3ff3ec1
SHA512

279a1d0a6f625c1dc89eff895ec264d1e6b45eb3cb1f3f00a701583c04ac8864108c14b8db8dae58a80c6d740bc8d934f25f8fd35dac1b588c2a6e56dde4bd52
SSDEEP

3072:gxxm9nvR85IsOCHwYJrkvBqd6czLyettLtgYmxChFmrjfXTUvH:8m9nONQYJkvkd7zLyGQobgjfX

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1524-1-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3140-11-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2460-108-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1524-107-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1524-180-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 3140	1524	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	83
PID 1524 wrote to memory of 3140	1524	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	83
PID 1524 wrote to memory of 3140	1524	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	83
PID 1524 wrote to memory of 2460	1524	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	92
PID 1524 wrote to memory of 2460	1524	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	92
PID 1524 wrote to memory of 2460	1524	0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:3140
- C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0d84b7c7410b3d41b0c7079cd8907c38_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8BF1.F06

Filesize
996B

MD5
03dfa6d43be0738fbb167731e6799d84

SHA1
a708858994b5d9bb3f2fcee84ea4c49d08a05b10

SHA256
90a85d252b60343f138236b75cb240d26eb53ee1a0697e46ce2776df07aa8e8f

SHA512
7710a845a2d7fcd57bd6f9420d857edf41f00f5118deb6e74658b134d017175caf435bb147556aafbbdd1630f03694bfbfec285526982c119f6b503438fc2944

Download Submit
C:\Users\Admin\AppData\Roaming\8BF1.F06

Filesize
600B

MD5
07c23a9450dbc9ac0b45c10696e0cf3b

SHA1
d4938e1e2a0f90626939170087dea2a2bcc3daac

SHA256
be527cbfd30cbe3bb26b92d090fffdc7d9a6a2ba9ea10cb2c69c0f62c12ae465

SHA512
1631104f9108e1bcb136e9ed703cdfb2137b9714cc04b644879a29c8b101b0cca7248a0a44e732b0b7cd0583f2b0eec3d74acd04c1038a52e7468c29600aa4b8

Download Submit
C:\Users\Admin\AppData\Roaming\8BF1.F06

Filesize
1KB

MD5
a11ec38020de78b34bb8133849bf5235

SHA1
7a347a4f3c3e9463325e5dcaf1c38c9b59520acd

SHA256
b9743a335d4c7b7601fbf5e0ae21dc1472ee8d2d2ca554bae6ba9b37b790a506

SHA512
23931a46a7d8a6297108dbe8df5f2000415ab51521b37dd0f2d990cba03e39d4176635a5b6f8d04c1b780e420c774214797ac1ec621178a21278d2a55647f945

Download Submit
memory/1524-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1524-107-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1524-180-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2460-108-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2460-109-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/3140-11-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3140-12-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads